Rekey fails with Vault 500 error and PGP message

Our last successful rekey was in March of this year, but now we are running into an issue. Some background: we are going from 6 key shards to 5 while keeping a threshold of 2. We use Keybase for our keys.

I’m able to init the rekey, and the first recovery key goes fine; however, when the second recovery key is entered we get the following message and unseal goes back to 0/2.

Error posting unseal key: Error making API request.

Code: 500. Errors:

* failed to encrypt shares: error setting up encryption for PGP message: openpgp: invalid argument: cannot encrypt a message to key id 28b60e8235d8834e because it has no encryption keys

I’m looking for any possible clues as to what to look at next to try and resolve this. Thanks.

Update on this: we found the user who last rekeyed had updated their PGP key in Keybase. The workaround was to rekey without that user, then once they fix their PGP key in Keybase we add them back into the rotation.
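The Vault error above is raised when the OpenPGP library finds no unexpired, unrevoked encryption-capable key on a participant's Keybase key, which is exactly what a freshly rotated signing-only key looks like. The pre-flight check below is an added example, not part of the original post or of Vault: it parses `gpg --with-colons` style key listings (such as `gpg --show-keys --with-colons` produces for an exported Keybase key) and flags any participant Vault could not encrypt a share to before `vault operator rekey -pgp-keys=keybase:...` is started; all listings are constructed.

```python
import time

# Constructed listing: a participant whose key has a valid encryption subkey.
GOOD_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::e::::::23:
"""

# Constructed listing matching the shape behind the post's error: the key id from
# the Vault message, with a signing-only subkey and no encryption subkey at all.
BAD_LISTING = """\
pub:u:4096:1:28B60E8235D8834E:1700000000:::u:::scSC::::::23::0:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1700000000::::::s::::::23:
"""

# Constructed listing: an encryption subkey that has expired is equally unusable.
EXPIRED_LISTING = """\
pub:u:4096:1:DDDDDDDDDDDDDDDD:1500000000:::u:::scESC::::::23::0:
sub:e:4096:1:EEEEEEEEEEEEEEEE:1500000000:1600000000:::::e::::::23:
"""

def encryption_key_ids(listing, now=None):
    """Key ids (pub or sub records) Vault could encrypt a share to at time `now`.

    gpg --with-colons fields: [1] validity (r=revoked, e=expired, d=disabled),
    [4] key id, [6] expiry epoch, [11] capabilities (lowercase 'e' = this key encrypts).
    """
    now = time.time() if now is None else now
    usable = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or "e" not in f[11]:
            continue                       # not a key record, or cannot encrypt
        if f[1] in ("r", "e", "d"):
            continue                       # revoked, expired or disabled
        if f[6] and int(f[6]) <= now:
            continue                       # expiry timestamp already passed
        usable.append(f[4])
    return usable

def check_rekey_participants(listings, now=None):
    """Map participant name -> True if at least one usable encryption key exists."""
    return {name: bool(encryption_key_ids(text, now)) for name, text in listings.items()}

if __name__ == "__main__":
    participants = {"alice": GOOD_LISTING, "bob": BAD_LISTING, "carol": EXPIRED_LISTING}
    for user, ok in check_rekey_participants(participants).items():
        print(f"{user}: {'ok' if ok else 'no usable encryption key, fix in Keybase before rekey'}")
```

Running the check against every `-pgp-keys` participant before the rekey starts turns the mid-rekey 500 into an early, attributable failure for one named user.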